I am trying to sign an OVA using a CA issued EV Code Signing Certificate. This certificate is stored in a USB HSM (Hardware Security Module) and private key cannot be exported. As I understand for the ovftool  "a public/private key pair and certificate that wraps the public key is required". But since keys cannot be exported stored in an HSM, the CA vendor suggested that the signing application must adheres to the PKCS #11 format. Do you know the ovftool supports this? If not what other alternatives are there to sign OVA using a CA issued EV Code Signing Certificate